了解这个过程之后就能发现hook中断的地方可以有很多。。。
跳过中断硬件支持的部分,从系统的角度去看
Cpu从idt表中查找到routine地址,这个地址实际是保存在中断对象中
kd> !idt
Dumping IDT:
37: 806e6864 hal!PicSpuriousService37
3d: 806e7e2c hal!HalpApcInterrupt
41: 806e7c88 hal!HalpDispatchInterrupt
50: 806e693c hal!HalpApicRebootService
62: 81768814 atapi!IdePortInterrupt (KINTERRUPT 817687d8)
63: 815f8b5c USBPORT!USBPORT_InterruptService (KINTERRUPT 815f8b20)
USBPORT!USBPORT_InterruptService (KINTERRUPT 815efd98)
73: 815fb654 NDIS!ndisMIsr (KINTERRUPT 815fb618)
82: 81799dd4 atapi!IdePortInterrupt (KINTERRUPT 81799d98)
83: 8179850c SCSIPORT!ScsiPortInterrupt (KINTERRUPT 817984d0)
93: 817d1dd4 i8042prt!I8042KeyboardInterruptService (KINTERRUPT 817d1d98)
a3: 817d1b64 i8042prt!I8042MouseInterruptService (KINTERRUPT 817d1b28)
b1: 8179fd84 ACPI!ACPIInterruptServiceRoutine (KINTERRUPT 8179fd48)
b2: 815987fc serial!SerialCIsrSw (KINTERRUPT 815987c0)
b4: 815a5044 portcls!CKsShellRequestor::`scalar deleting destructor'+0x26 (KINTERRUPT 815a5008)
c1: 806e6ac0 hal!HalpBroadcastCallService
d1: 806e5e54 hal!HalpClockInterrupt
e1: 806e7048 hal!HalpIpiHandler
e3: 806e6dac hal!HalpLocalApicErrorService
fd: 806e75a8 hal!HalpProfileInterrupt
fe: 806e7748 hal!HalpPerfInterrupt
kd> dt _KINTERRUPT 817687d8
nt!_KINTERRUPT
+0x000 Type : 22
+0x002 Size : 484
+0x004 InterruptListEntry : _L